PHP Utilities

PHP is a difficult programming language that looks and feels easy. It is
flawed, but it was in
the right place at the right time, and it's now fairly popular. With the
advent of web frameworks like Pylons and
Django, PHP's popularity finally seems to
be declining, but if you do any amount of web development, you will probably
still end up working with PHP. When that happens, this page may make your
life easier.

I have written several small libraries in PHP, and most of the time I
just quietly uploaded them to my FTP server and said nothing
more unless someone asked. None are particularly well-documented, and
they're not really intended to be used by people who can't read the source
code, but they are all free software.

In order to make these libraries more accessible to busy web developers,
I have created this list of short descriptions for each one.

By default, the data for PHP's $_SESSION variable is stored in the same
place on the server (/tmp). In a virtual hosting environment, this
can allow a malicious user to coerce other applications on the same server
to corrupt your application's $_SESSION variable (for example, if both
applications have a $_SESSION['is_authenticated'] variable). This module
tries to work around that situation by doing HMAC-SHA1 authentication of
the data in the $_SESSION variable. Note: This module is quite
fragile, and there are probably better ways to solve the same problem.
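
The idea of authenticating $_SESSION data with HMAC-SHA1, shown as an added example that is not the module's own code. The function names, the APP_SESSION_KEY constant, and the JSON encoding are assumptions made for illustration.

```php
<?php
// Added example: not the code of the module described on this page.
// Assumption: APP_SESSION_KEY is a per-application secret stored outside the
// shared session directory (placeholder value, constructed for the demo).
const APP_SESSION_KEY = 'replace-with-random-bytes-unique-to-this-app';

// Encode the application's session data and prepend an HMAC-SHA1 tag.
function seal_session(array $data, string $key): string
{
    $payload = json_encode($data);
    return hash_hmac('sha1', $payload, $key) . ':' . $payload;
}

// Return the data only if the tag verifies; otherwise return null so the
// caller treats the session as empty (unauthenticated).
function open_session(string $sealed, string $key): ?array
{
    $parts = explode(':', $sealed, 2);
    if (count($parts) !== 2) {
        return null;                      // malformed or missing tag
    }
    [$tag, $payload] = $parts;
    $expected = hash_hmac('sha1', $payload, $key);
    if (!hash_equals($expected, $tag)) {  // constant-time comparison
        return null;                      // not written with our key
    }
    $data = json_decode($payload, true);
    return is_array($data) ? $data : null;
}

// Constructed demo: this application keeps its state in one sealed value.
$sealed = seal_session(['is_authenticated' => false, 'user' => 'alice'], APP_SESSION_KEY);
var_dump(open_session($sealed, APP_SESSION_KEY));   // round trip succeeds

// Another application on the same host writes its own value under a
// different key: the tag does not verify and the data is rejected.
$foreign = seal_session(['is_authenticated' => true, 'user' => 'alice'], 'other-app-key');
var_dump(open_session($foreign, APP_SESSION_KEY));

// Changing the payload while keeping the old tag is rejected as well.
$edited = str_replace('false', 'true', $sealed);
var_dump(open_session($edited, APP_SESSION_KEY));
```

The tag only detects modification; the stored data is still readable by anyone with access to the shared directory.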

Step 1. Include this in your application.
Step 2. Use $_REQUEST[null] wherever you would normally use $_REQUEST (e.g. $_REQUEST[null]['foo'] instead of $_REQUEST['foo']).
Result: No more worrying about whether or not magic_quotes_gpc is enabled!
This also works for $_GET, $_POST, and $_COOKIE.

When you include nomagicquotes.php, it makes a copy of $_REQUEST inside $_REQUEST[null]. If magic_quotes_gpc is turned on, it calls stripslashes() on each of the values it copies, so that any backslashes added by PHP's "magic_quotes_gpc" feature are removed. If magic_quotes_gpc is turned off, stripslashes() is not called, so backslashes added by real users do not get mangled. The idea is that $_REQUEST[null] always contains the real values entered by the user, no matter what magic_quotes_gpc is set to.

I chose [null], because it is one of the few values that (as far as I
can tell) cannot be specified externally over HTTP, so there's no namespace
conflict.